Safe from the Spam Flood?

There's new technical evidence that recent warnings about an impending email
tsunami may have been a false alarm.

Earlier this year, experts at Spamhaus.org warned that
proxy-based spamware programs, including Send-Safe, had added a new feature that
could frustrate efforts to blacklist network addresses used by junk emailers. One report quoted Spamhaus leader
Steve Linford as predicting that "internet users are going to be flooded in
spam" as a result of the new development.

But researchers at CipherTrust have since
discovered a debilitating design problem in Send-Safe's feared new "ProxyLock" feature--a
weakness so severe that it makes the enhancement unusable in most cases.

"The way they implemented ProxyLock is seriously flawed, and that's why we're
not seeing any evidence that spammers are switching to it," said CipherTrust
research engineer Dmitri Alperovitch, who recently disassembled the Send-Safe
software.

Like a lot of spamware programs, Send-Safe has long relied on proxy computers
(often virus-infected Windows PCs running an internal SMTP server) to send
spam without revealing the spammer's true IP address. But the IP addresses
of those proxies are eventually discovered by blacklist operators such as Spamhaus,
and the addresses are blacklisted.

The new ProxyLock feature, which was added in Send-Safe version 2.20, is intended to send out messages instead through
the mail servers affiliated with the ISP responsible for the proxy. In other
words, if Send-Safe is configured to use a Trojaned PC connected to the internet
via Comcast, the spamware will attempt to send messages out through the Comcast
SMTP server, not via an internal SMTP server in the proxy.

Since most blacklists try to avoid collateral damage, it's unlikely they would
blacklist a major ISP's primary mail servers. Hence the fears that Send-Safe's
ProxyLock could enable spammers to circumvent DNS-based filters.

But Alperovitch found something interesting while studying ProxyLock.

When Send-Safe users select the software's "use ProxyLock" option,
the program looks up the mail exchange (MX) records associated with the hostnames
of the proxies--typically, the MX record of the ISP whose network the zombie
is connected through. The program then attempts to forward the email through
the servers that are listed in the MX records.

The problem with this approach is that the MX record contains the servers
that accept mail for the target domain. It does not necessarily contain
the list of servers that are used for outbound SMTP connections by ISP customers.

In fact, says Alperovitch, almost all large ISPs separate their inbound and
outbound mail servers, due to the need to perform different types of processing
on each kind of server. (For example, spam filtering on inbound messages, or
traffic shaping on outbound emails.)

Consider the example of a proxy PC connected to the internet via Comcast cable.
The Send-Safe software would do a look-up on the MX record for Comcast.net,
which shows gateway-s.comcast.net and gateway-r.comcast.net as
the domain's mail exchanges. But attempts to send spam to non-Comcast addresses
through those servers will fail with an SMTP "551" error
code. That's because Comcast's outbound SMTP servers are accessible via
the hostname smtp.Comcast.net.

Similarly, if using a proxy connected to the internet through Verizon Online,
Send-Safe would attempt to send spam using relay.Verizon.net, as shown
in the domain's MX record. But legitimate Verizon Online users use outgoing.Verizon.net as
their SMTP server.

Since the majority of spam proxies come from large ISPs such as Comcast and
Verizon, spamware programs that depend on MX look-ups will have difficulty
taking advantage of proxy-to-SMTP spamming, says Alperovitch.

A better approach might be to check the SPF record, if any, for the proxy's
domain, which could reveal the IP addresses of authorized outbound mail servers.
But that technique could fail as well, says Alperovitch, since the IP address
of the server that accepts SMTP connections from subscribers may be different
from the IP address that's stamped in the email headers seen by receiving mail
systems.

John Levine, author of The Internet For Dummies, says spamware programs
might do better to try to obtain SMTP server settings from the email client
on the proxy computer. Qualcomm's Eudora, for example, stores this information
in a file called Eudora.ini, while Microsoft Outlook uses a section of the
Windows system registry called OMI Account Manager. (Many viruses and worms
currently retrieve information from and/or modify the registry keys in the
OMI Account Manager section.)

But even if a proxy-to-SMTP spamware program could identify the proper outbound
mail server, many ISPs employ other forms of protection against outbound spamming,
such as rate limiting and authentication, which could foil the ProxyLock feature.

In response to CipherTrust's findings, Linford acknowledged that ProxyLock
would fail in cases involving major ISPs. But he said many ISPs are still vulnerable.

"This trick will still find tons of MX mail servers of small and medium-sized
ISPs which will happily relay if the message is coming from a client IP," says
Linford.
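The relaying behavior Linford describes leaves a trace on the ISP's own MX: customer-pool addresses asking the inbound exchanger to deliver to external domains. As an added illustration (not code from the article or from any party it quotes), the following script summarises such requests from constructed, loosely Postfix-like log lines; the subscriber ranges, the local domain and the log format are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Customer address pools of a hypothetical ISP (placeholder ranges, not real ones).
SUBSCRIBER_NETS = [ip_network("10.20.0.0/16"), ip_network("10.21.0.0/16")]
# Domains this MX is supposed to accept mail FOR; any other recipient is a relay request.
LOCAL_DOMAINS = {"example-isp.net"}

# Constructed sample MX log lines (not from the article). Assumed format:
# "<host> smtpd: client=<ip> rcpt=<addr> status=<smtp-code>"
SAMPLE_LOG = """\
mx1 smtpd: client=10.20.30.40 rcpt=alice@example-isp.net status=250
mx1 smtpd: client=10.20.30.40 rcpt=bob@victim.example status=551
mx1 smtpd: client=10.20.30.40 rcpt=carol@victim.example status=551
mx1 smtpd: client=10.20.30.40 rcpt=dave@other.example status=551
mx1 smtpd: client=10.21.7.9 rcpt=eve@victim.example status=250
mx1 smtpd: client=10.21.7.9 rcpt=frank@other.example status=250
mx1 smtpd: client=198.51.100.5 rcpt=alice@example-isp.net status=250
"""

LINE_RE = re.compile(r"client=(\S+) rcpt=\S+@(\S+) status=(\d{3})")


def is_subscriber(ip: str) -> bool:
    """True when the client address falls inside one of the customer pools."""
    addr = ip_address(ip)
    return any(addr in net for net in SUBSCRIBER_NETS)


def relay_attempts(log_text: str, threshold: int = 2) -> dict:
    """Per subscriber IP: how often it asked the MX to relay to an external domain,
    and how often the MX accepted (2xx), which means it is relaying for client IPs."""
    stats = defaultdict(lambda: {"attempts": 0, "relayed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, rcpt_domain, code = m.groups()
        if rcpt_domain.lower() in LOCAL_DOMAINS or not is_subscriber(ip):
            continue  # ordinary inbound delivery, or the client is not a customer host
        stats[ip]["attempts"] += 1
        if code.startswith("2"):
            stats[ip]["relayed"] += 1
    return {ip: s for ip, s in stats.items() if s["attempts"] >= threshold}


if __name__ == "__main__":
    for ip, s in relay_attempts(SAMPLE_LOG).items():
        verdict = "MX RELAYED (misconfigured)" if s["relayed"] else "rejected"
        print(f"{ip}: {s['attempts']} relay attempts, {s['relayed']} accepted -> {verdict}")
```

A non-zero "relayed" count is the condition Linford warns about: the MX is acting as an outbound relay for the customer pool, so the proper fix is on the server (refuse relaying for unauthenticated clients and move customers to an authenticated submission host), not in the log review.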

Linford points to recent research from MessageLabs as proof that spammers
have had success in using ProxyLock. The email security and filtering firm reported that
the percentage of spam emanating from proxies dropped from 79 percent
in October 2004 to 59 percent in February 2005. MessageLabs said the shift
suggests that spammers had migrated toward the use of the new Send-Safe feature.

In any case, no one has come forward with data showing that spammers are actually
using the ProxyLock feature; the increased volumes of spam from ISP mail servers
could simply be the result of hijacked accounts, throwaway accounts, webmail
spamming, and other tactics, says Alperovitch.

Still, someone at the SpecialHam.com spammers' forum was offering a "proxy-to-SMTP" service
last week. According to a
message at the site by someone calling himself Phantom, "I can take any
list of mailing proxies and run them through a special custom prog [that] will
spit out the corresponding resolved domains [and] the corresponding SMTP mail
servers of that base domain."

While experts may continue to debate the seriousness of the ProxyLock
threat, one thing is fairly certain. Send-Safe is having difficulty
distributing its software to would-be customers. The Russian company's
domain, send-safe.com, is currently not responding, nor is a recent
replacement, send-safe.biz. However, copies of the program are still
available on the internet, and existing installations of the program remain
capable of downloading fresh proxies from Send-Safe.

Brian McWilliams
is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.